
Is Apple Losing Its Grip on App Store Security?

The iOS App Store was created so that users could download and run apps in a secure space. In theory, an application would not be able to execute malware on a device or purvey copyright-infringing content, and every application would pass under Apple's watchful eye.

However, developers who wish to bend the rules or try to defraud users of their money and sensitive information are finding new avenues by which to accomplish their goals.

The problem is that the guarantor of App Store security, Apple itself, has been lax as of late, allowing apps of dubious copyright status to slip through the cracks — especially when it comes to games. For example, a fake Pokemon Yellow app appeared on Feb. 17. This app was obviously not published by Nintendo, yet it managed to get through the approval process and, despite crash reports and a large number of one-star reviews, shot all the way up to number-one before disappearing the evening of Feb. 20.

Whether Apple pulled the app is unknown. The app developer may have simply cashed in its chips, removing the app early so it would be paid. Reportedly, if Apple pulls down an app, its developer won't be compensated.

It's to be expected that an occasional app will slip through the cracks, since the approval process is imperfect. But when blatant license violations aren't red-flagged, one wonders whether the approval process is trustworthy at all.

Furthermore, unreliable apps put users' data at risk. While an app can't access location services or photos (whose EXIF data, embedded by iOS, includes geolocation) without express permission from the user, a device's contacts are not protected. Recently, Path controversially accessed its users' contacts without explicit permission. Contact access prompting will be addressed in a future version of iOS, but the move will exclude older iOS versions and users who do not or cannot upgrade. In the meantime, there's no way of knowing which apps access contacts and which do not. Unlike the Android Market, the App Store does not explicitly state an iOS app's permissions before the user downloads and installs it.

Some apps may leave users vulnerable to security holes. On Feb. 18, a known iOS jailbreak developer tweeted about an app that could contain a vulnerability used to jailbreak iOS 5.1. He suggested people download the app before Apple pulled it from the App Store. As of Feb. 24, it was still on the App Store, and had not been updated to patch that vulnerability.

If an unscrupulous developer got its hands on this sort of vulnerability, it could potentially execute malware on the devices of users who install these kinds of apps. So far, however, the iOS dev team has discovered exploits solely for the sake of jailbreaking and unlocking. When "userland" exploits such as the PDF vulnerability were discovered, a patch was released on Cydia to close the hole, but it could only be installed after jailbreaking. Ironically, jailbreaking the device was a way to make it safer, since on an unpatched iOS version potentially any PDF file downloaded through the browser could be hazardous.

Temple Run appears to be the current target for copiers; several apps that mimic its icon and name have been released in the App Store, hoping to springboard off of the game's popularity. These include original, yet crudely developed games like Temple Guns, along with non-functioning apps like Temple Jump. Both jumped to the top of the charts before disappearing. In the curated App Store, where Apple approves every app for sale, these types of apps should raise red flags, but they have managed to get through by piggybacking on the Temple Run name and logo.

Even smaller developers have been caught in the crossfire. In 2011, The Blocks Cometh was a victim of cloning, when a developer copied its Flash game almost exactly. The developer also stole art assets from another game, League of Evil, and released the game in the App Store. It took not just emails from Halfbot to Apple to resolve the issue, but also several angry articles in the gaming media to eventually expose the app as a fraud.

Over time, the cumulative effect of these oversights could be disastrous. If user confidence falls, then the impulse buy could disappear, surmised Phill Ryu, one of the developers of Clear. Right now, users generally trust the App Store to not steal their information, to have legitimate products and information, but that all changes once they get ripped off by an app.

Even an app's popularity ranking can't necessarily be trusted. It is becoming increasingly possible for outside sources to illegitimately bump apps up the charts. One service claims that it has access to a number of iTunes accounts, which it can use to push an app up the charts without the app actually gaining a notable number of new users.

These security holes risk disheartening the independent developers who make up the heart of the App Store. One developer, Frank Condello of one-man studio Chaotic Box, expressed his feelings through artwork on Twitter. He told me that he's "disappointed that Apple is still approving scams, despite its own rules." He points out that the developer of the aforementioned Temple Jump "still has 20+ active apps/scams," such as Angry Ninja Birds and Zombie Air Highway, which riff on Angry Birds and Zombie Highway, respectively.

More people have figured out the system's vulnerabilities, and have subsequently learned how to exploit them for their own gain. Given the size of the App Store and the number of apps it contains, it may be difficult for Apple to catch up and monitor store activity. Some apps will fall through the cracks — it's to be expected. But in the meantime, the number of cracks continues to increase.

Mashable